How to Install ModSecurity with Apache on Ubuntu Linux

Share

This article describes steps one can take to install ModSecurity with Apache on Ubuntu Linux.

ModSecurity (also known as ModSec) is an open-source web application firewall (WAF). Initially developed as a module on Apache is now a full-fledged WAS that also supports Nginx and IIS.

Modric was developed to protect against many common attacks, including XSS, code injection, etc. Although works with Nginx and other web servers, it works even better with Apache, and that is why most run it with Apache.

ModSecurity can act as an extra security layer, detecting and preventing attacks before they reach the web application.

Below is how to install ModSec on Ubuntu Linux.

How to install ModSec with Apache on Ubuntu Linux

As described above, ModSec is an open-source web application firewall (WAF). Initially developed as a module on Apache is now a full-fledged WAS that also supports Nginx and IIS.

Below is how to install it with the Apache HTTP server.

Install ModSecurity and Apache

ModSec module is available in Ubuntu default repositories. All you need to do is run the commands below to install it with Apache.

sudo apt update
sudo apt install apache2 libapache2-mod-security2

To check that ModSec is installed, run the commands below.

apachectl -M | grep security

The command above should output a line below.

security2_module (shared)

If not enabled, you can enable the module by running the commands below.

sudo a2enmod security2
sudo systemctl reload apache2

Configure ModSecurity

When you install ModSec, its default rules are set to log suspicious activities only, and not take any actions. You will have to edit its configurations to modify the rules if you want to take preventive actions.

By default, the configuration file is at /etc/modsecurity/modsecurity.conf-recommended. To configure your environment based on the file, copy and rename it as modsecurity. conf.

sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Next, run the commands below to open the newly created config file.

sudo nano /etc/modsecurity/modsecurity.conf

Change the highlighted lines in the file from DetectionOnly to On.

# -- Rule engine initialization ----------------------------------------------
# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine On

# -- Request body handling ---------------------------------------------------
# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.

SecRequestBodyAccess On

# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type

Save and exit, then restart Apache.

sudo systemctl restart apache2

Add OWASP ModSecurity rules

OWASP CRS ModSec file contains recommenced security settings for most environments. You can use it in yours to protect your apps.

Clone the latest OWASP CRS from GitHub to the /usr/share/ directory by running the commands below.

sudo rm -rf /usr/share/modsecurity-crs
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs

Next, rename the example file to crs-setup.conf.

sudo mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf

Next, run the commands below to open the ModSec security configuration file.

sudo nano /etc/apache2/mods-enabled/security2.conf

Then edit the highlighted lines to enable the OWASP rules we downloaded above.

<IfModule security2_module>
        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity
		
        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        IncludeOptional /etc/modsecurity/*.conf
		
        # Include OWASP ModSecurity CRS rules if installed

        IncludeOptional /usr/share/modsecurity-crs/*.conf
        IncludeOptional /usr/share/modsecurity-crs/rules/*.conf
</IfModule>

Save and exit.

Restart Apache and you’re good to go.

sudo systemctl restart apache2

To test that ModSec is running, run the commands below.

curl 'http://127.0.0.1/test.html?a=<script>alert(1);</script>'

You should get an output message similar to the one below:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.52 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>

That should do it!

Conclusion:

This post showed you how to install and use ModSecurity with Apache on Ubuntu Linux. If you find any error above or have something to add, please use the comment form below.